Reining in the Data Traders: a Tort for the Misuse of Personal Information

In 2005, three spectacular data security breaches focused public attention on the vast databases of personal information held by data traders such as ChoicePoint and LexisNexis, and the vulnerability of that data. The personal information of hundreds of thousands of people had either been hacked or sold to identity thieves, yet the data traders refused to reveal to those people the specifics of the information sold or stolen. While Congress and many state legislatures swiftly introduced bills to force data traders to be more accountable to their data subjects, fewer states actually enacted laws, and none of the federal bills were taken to a vote before the election in 2006. In large part, individuals remain powerless to discover the information a data trader holds about them, to discover what information was sold or stolen, to prevent data traders from using their personal information in unauthorized ways, or to hold data traders accountable for lax security. The Article argues that a new common law tort should be used to force reform and accountability on data traders, and to provide remedies for individuals who have suffered harm to their core privacy interests of choice and control-choice about who may receive their information, control over the information revealed, and how the recipient of that information may use it. The Article examines the current legislative and common law regimes, concluding that there are no effective remedies for individuals who have suffered harm from data misuse. Given the ineffective legislative response to the security breaches of 2005, the Article argues that the existing scheme of common law privacy torts should be expanded to create a new tort for information misuse. The new tort borrows from existing privacy torts-in particular, the tort of appropriation-and existing privacy statutes, importing the Fair Information Practices from the Privacy Act of 1974 as a standard of care

The Boundaries of Privacy Harm

Just as a burn is an injury caused by heat, so is privacy harm a unique injury with specific boundaries and characteristics. This Essay describes privacy harm as falling into two related categories. The subjective category of privacy harm is the perception of unwanted observation. This category describes unwelcome mental states—anxiety, embarrassment, fear—that stem from the belief that one is being watched or monitored. Examples of subjective privacy harms include everything from a landlord eavesdropping on his tenants to generalized government surveillance. The objective category of privacy harm is the unanticipated or coerced use of information concerning a person against that person. These are negative, external actions justified by reference to personal information. Examples include identity theft, the leaking of classified information that reveals an undercover agent, and the use of a drunk-driving suspect’s blood as evidence against him. The subjective and objective categories of privacy harm are distinct but related. Just as assault is the apprehension of battery, so is the perception of unwanted observation largely an apprehension of information-driven injury. The categories represent, respectively, the anticipation and consequence of a loss of control over personal information. This approach offers several advantages. It uncouples privacy harm from privacy violations, demonstrating that no person need commit a privacy violation for privacy harm to occur (and vice versa). It creates a “limiting principle” capable of revealing when another value—autonomy or equality, for instance—is more directly at stake. It also creates a “rule of recognition” that permits the identification of a privacy harm when no other harm is apparent. Finally, this approach permits the measurement and redress of privacy harm in novel ways

The Digital Person: Technology and Privacy in the Information Age

This is the complete text of Daniel J. Solove\u27s book, THE DIGITAL PERSON: TECHNOLOGY AND PRIVACY IN THE INFORMATION AGE (Full Text) (NYU Press 2004) explores the social, political, and legal implications of the collection and use of personal information in computer databases. In the Information Age, our lives are documented in digital dossiers maintained by hundreds (perhaps thousands) of businesses and government agencies. These dossiers are composed of bits of our personal information, which when assembled together begin to paint a portrait of our personalities. The dossiers are increasingly used to make decisions about our lives - whether we get a loan, a mortgage, a license, or a job; whether we are investigated or arrested; and whether we are permitted to fly on an airplane. Digital dossiers impact many aspects of our lives. For example, they increase our vulnerability to identity theft, a serious crime that has been escalating at an alarming rate. Moreover, since September 11th, the government has been tapping into vast stores of information collected by businesses and using it to profile people for criminal or terrorist activity. Do these developments pose a problem? Is it possible to protect privacy in a society where information flows so freely and proliferates so rapidly? THE DIGITAL PERSON seeks to answer these questions. This book explores the problem from all angles - how businesses gather personal information in massive databases; how the government increasingly provides this data to businesses through public records; and how the government is gathering personal data from businesses for its own uses. THE DIGITAL PERSON not only explores these problems, but also provides a compelling account of how we can respond to them. Using a wide variety of sources, including history, philosophy, and literature, Solove sets forth a new understanding of privacy, one that is appropriate for the new challenges of the Information Age. He argues that although the use of digital dossiers can create Orwellian harms of surveillance, they often create a different kind of problem best captured by Franz Kafka’s The Trial — a sense of helplessness, vulnerability, and frustration when entities use vast dossiers of data but refuse to provide people with sufficient knowledge and participation in the use of the data. Solove recommends how the law can be reformed to simultaneously protect our privacy and allow us to enjoy the benefits of our increasingly digital world

The role of privacy management in brand protection and brand value

xxii, 357 leaves : colored illustrations ; 29 cmIncludes abstract and appendices.Includes bibliographical references (leaves 293-317).There are more privacy issues and concerns with the use of a growing number of invasive technologies. This research determines if there is a role that privacy management plays on brand protection and brand value. An extensive literature review was conducted and a proposal for a new privacy-brand model, with hypotheses connecting 4 constructs: privacy practices (PP), brand protection (BP), experienced harms (EH), and brand value (BV) was proposed and then enhanced with the privacy concerns (PC) construct. A preliminary survey was conducted to capture up-to-date privacy concerns from experts in security and privacy. The findings informed a formal survey instrument, Privacy Management Survey, which included both new and existing scales for the constructs that were subsequently validated. Study 1 contributes major themes for privacy concerns related to private information, using NVivo to analyze the qualitative data: (1) unauthorized access (2) misuse, particularly financial information, which is the area that is most harmed in identity theft (3) unauthorized disclosure (4) huge scope of privacy loss, and (5) need for better privacy protections. Two versions of the privacy-brand models were studied: one without privacy concerns (study 2) and one with privacy concerns (study 3). The constructs for all models were extracted using principal components analysis in SPSS, and their relationships confirmed using structural equation modeling in AMOS. The Privacy Management Survey was widely deployed to collect empirical data (N = 315) and (N = 205 holdout sample) to test the hypotheses of the privacy-brand model related to an organization. This work contributes a new model connecting privacy practices, experienced harms, privacy concerns, brand protection, and brand value to the management, management information systems, marketing and risk literatures. Empirical testing of the hypotheses has confirmed that privacy management plays a significant role in brand protection and brand value

Recognizing the Societal Value in Information Privacy

Much has been written about database privacy in the Internet Age, most of it critical of the way in which the American legal system addresses the issue. In this article, Professor Nehf maintains that one of the fundamental difficulties with the public policy debates is that information privacy is often discussed as a typical consumer problem rather than a problem of more general societal concern. As a result, arguments over appropriate resolutions reduce to a balancing of individual rights against more general societal interests, such as increased efficiency in law enforcement, government operations or commercial enterprise. Although privacy scholars discussed the societal value of information privacy in the 1960s and early 1970s, the concept was not fully developed. More recently, political theorists have revived the idea and argue the importance of recognizing privacy as a societal norm. Professor Nehf adopts a functional analysis that compares information privacy to other societal values, such as environmental protection, and concludes that privacy policy could take a different form if the issue were viewed in this way